Albert Gonzalez Enters Plea Agreement in Heartland, Hannaford Cases

Albert Gonzalez, who has admitted hacking into TJX and other companies, has filed a plea agreement on charges that he breached Heartland Payment Systems, Hannaford, 7-Eleven and two other companies.

Under the terms of the agreement, Gonzalez, a former Secret Service informant, will plead guilty to two counts of conspiracy to gain unauthorized access to computers, and to commit wire fraud. Prosecutors have agreed to seek a sentence of no more than 25 years, to run concurrently with his sentence in two other pending cases. Gonzalez had agreed to ask the court for no less than 17 years in prison.

Gonzalez is currently facing a sentence of between 15 and 25 years in two combined cases out of Massachusetts and New York, involving the hacks of TJX and Dave & Buster’s restaurants. The New Jersey agreement would add two years to the minimum time he could seek.

Gonzalez, 28, was indicted in August in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers.

According to the plea agreement, between October 2006 and May 2008 Gonzalez and an associate identified as “P.T.” — possibly indicted TJX co-conspirator Damon Patrick Toey — picked out hacking targets from a list of Fortune 500 companies, and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. Gonzalez leased and controlled servers in Latvia, Ukraine and the Netherlands to store malware, launch the attacks against the networks and receive the stolen numbers.

Using a SQL-injection attack, the two Russian hackers allegedly broke into the 7-Eleven network in August 2007 through the company’s website, then routed their way to a server connected to the stores’ ATMs, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, resulting in 4.2 million stolen debit and credit card numbers, and to break into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Once on the networks, the hackers installed back doors to provide them with continued access at later dates. According to authorities, the hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.

Although documents in the New Jersey case don’t identify the two Russians, a sentencing memo filed in the TJX case in Massachusetts last week revealed the online nicknames of the two hackers to be “Grigg” and “Annex.” Parts of the memo discussing the two Russian hackers were redacted, but the redaction was done poorly and Threat Level was able to uncover the concealed portions.

According to the memo, Gonzalez described for prosecutors how “Grigg” and “Annex” hacked into Hannaford Brothers through a vulnerability in the computer systems of Hannaford’s parent company Delhaize. He gave prosecutors the information in late 2008, nine months before he was indicted in New Jersey on charges that he and the two Russians breached Hannaford.

Gonzalez is scheduled to enter his plea at a hearing in the New Jersey case on Dec. 29, after which a date will be set for his sentencing. He’s scheduled to be sentenced in the TJX and Dave & Buster’s cases in March. That sentencing was originally scheduled for Dec. 21, but as Threat Level previously reported, it was delayed after Gonzalez’s attorney filed a psychiatric evaluation with the court indicating that Gonzalez suffered from symptoms consistent with Asperger’s Disorder.

On Monday, U.S. District Judge Patti Saris rejected a request from prosecutors to obtain their own psychiatric evaluation of Gonzalez, but said she’d reexamine the issue once the government’s psychiatric expert offers specifics on the “needed areas of inquiry.”